Re: AD Schema extension and ACLing



schemaIDGUID is required, but AD and ADAM will create one on the fly for you
if you don't specify one. From my perspective though, this is a bad thing.
The schemaIDGUID should be a fixed, published value, like the
attribute/class name and OID, as it is used in the ACLing system for
attributes and classes. You really want all instances of the same schema
object to have the same schemaIDGUID.

You can specify this attribute value (and any other binary value) to LDIF in
base64 format. It just so happens that I have a handy tool called
GuidConverter on the website for my book that will generate and convert
GUIDs into LDAP friendly formats such as octet strings, LDAP filter syntax
and Base64 (for just this purpose). It will give you a handy way to create
some GUIDs, save them in your documentation somewhere, and copy and paste
them into your LDIF script. It is in the files section of the website in the
signature. You can also do this pretty easily with other tools. The code
is pretty trivial.

Regarding the default security descriptor stuff, I'm not sure how that works
with an aux class. I think the default security descriptor comes from the
concrete class. I don't know if that would get merged together with one
defined on an auxClass or not. It sounds unlikely to me.

What you might be best off doing would be to create a property set for the
attributes in question so that they can all be ACLed atomically. The
documentation in MSDN describes how to set this up. You can also create the
property set object via LDIF (although it isn't a schema object; it goes in
the extended rights container instead).

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Brad Turner [MIIS MVP]" <bradturner32@xxxxxxxxx> wrote in message
news:1158003127.650260.9400@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Paul,

Thanks for the reply - the example will work out great. I see that I
will need to make a few calls to schemaUpdateNow and I see an example
of the class defaultSecurityDescriptor so I should be able to export my
examples and weed out the unneeded lines.

Now in the MSDN reference under "Defining a new Attribute"
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/defining_a_new_attribute.asp)
they show a matrix that claims that schemaIDGUID is required but I
don't see how that is possible before creation - is that a doc bug?

Also, do you have any comments on the ACL problem of protecting the
custom attributes themselves from Read access?

Brad Turner, MIIS MVP

Paul Williams [MVP] wrote:
LDIFDE in export mode (default) will produce an LDIF file for you. It's a
bit stupid and dumps a couple of constructed or system-only attributes that
need to be excluded, e.g. whenChanged, but otherwise works fine.

If you have some schema extensions and want an LDIF file of those, there's
also the schema analyser tool that ships with ADAM SP1 (R2).

An example can be found here:
--
http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx


Basically, you have something like this:

# attribute
dn: cn=new-attr,cn=schema,cn=configuration,dc=domain-name,dc=com
changeType: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: newAttribute
attributeId: <ID goes here>
attributeSyntax: 2.5.5.3
omSyntax: 27
isSingleValued: TRUE

# reload the cache so the class below can reference the new attribute
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# class (objectClass must be classSchema, not attributeSchema)
dn: cn=new-class,cn=schema,cn=configuration,dc=domain-name,dc=com
changeType: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: newClass
governsId: <ID goes here>
objectClassCategory: 3
subClassOf: top
rDNAttID: cn
mayContain: newAttribute


--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
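The following is an added example, not code from the thread or from Joe's GuidConverter tool. It puts Joe's two points (a fixed, published schemaIDGUID supplied to LDIF in base64, and a property set in the Extended-Rights container so the attributes can be ACLed atomically) together with Paul's LDIF skeleton. The attribute/class names, OIDs, GUIDs and the forest DN are made up for illustration; the byte-order handling and the controlAccessRight attributes (rightsGuid, validAccesses, appliesTo, attributeSecurityGUID) are as documented in MSDN.

```python
# Added example (not from the thread): generate fixed schemaIDGUIDs, convert
# them to the forms ldifde and LDAP filters expect, and emit the LDIF for an
# attribute, an auxiliary class and a property set that ACLs the attribute.
# The names, OIDs, GUIDs and forest DN below are made up for illustration.
import base64
import uuid

FOREST_DN = "dc=domain-name,dc=com"            # assumed forest root
SCHEMA_NC = f"cn=schema,cn=configuration,{FOREST_DN}"
RIGHTS_DN = f"cn=Extended-Rights,cn=configuration,{FOREST_DN}"


def guid_bytes(guid: str) -> bytes:
    # AD stores schemaIDGUID/attributeSecurityGUID in the mixed-endian layout
    # that .NET's Guid.ToByteArray() produces. Python calls that bytes_le;
    # using .bytes instead silently swaps the first three fields and the
    # resulting ACE never matches the attribute.
    return uuid.UUID(guid).bytes_le


def guid_to_base64(guid: str) -> str:
    # Form that follows the double colon in an LDIF line ("schemaIDGUID:: ...").
    return base64.b64encode(guid_bytes(guid)).decode("ascii")


def guid_to_filter(guid: str) -> str:
    # Escaped octet-string form for an LDAP filter, e.g. (schemaIDGUID=\33\22...).
    return "".join(f"\\{b:02x}" for b in guid_bytes(guid))


def base64_to_guid(b64: str) -> str:
    # Reverse direction: decode what a DC actually holds and compare with docs.
    return str(uuid.UUID(bytes_le=base64.b64decode(b64)))


def attribute_ldif(cn, ldap_name, oid, schema_guid, prop_set_guid):
    # attributeSecurityGUID = the property set's rightsGuid, so that one ACE
    # on the property set covers this attribute.
    return "\n".join([
        f"dn: cn={cn},{SCHEMA_NC}",
        "changetype: ntdsSchemaAdd",
        "objectClass: attributeSchema",
        f"ldapDisplayName: {ldap_name}",
        f"attributeId: {oid}",
        "attributeSyntax: 2.5.5.12",           # Unicode string
        "omSyntax: 64",
        "isSingleValued: TRUE",
        f"schemaIDGUID:: {guid_to_base64(schema_guid)}",
        f"attributeSecurityGUID:: {guid_to_base64(prop_set_guid)}",
    ]) + "\n"


def aux_class_ldif(cn, ldap_name, oid, schema_guid, may_contain):
    return "\n".join([
        f"dn: cn={cn},{SCHEMA_NC}",
        "changetype: ntdsSchemaAdd",
        "objectClass: classSchema",
        f"ldapDisplayName: {ldap_name}",
        f"governsId: {oid}",
        "objectClassCategory: 3",              # auxiliary class
        "subClassOf: top",
        f"schemaIDGUID:: {guid_to_base64(schema_guid)}",
        *[f"mayContain: {a}" for a in may_contain],
    ]) + "\n"


def property_set_ldif(cn, display_name, rights_guid, applies_to_class_guids):
    # A property set is a controlAccessRight under Extended-Rights, not a
    # schema object. validAccesses 48 = READ_PROP (0x10) | WRITE_PROP (0x20).
    # rightsGuid and appliesTo are stored as string GUIDs, not binary.
    return "\n".join([
        f"dn: cn={cn},{RIGHTS_DN}",
        "changetype: add",
        "objectClass: controlAccessRight",
        f"displayName: {display_name}",
        f"rightsGuid: {rights_guid}",
        "validAccesses: 48",
        *[f"appliesTo: {g}" for g in applies_to_class_guids],
    ]) + "\n"


SCHEMA_UPDATE_NOW = "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"


def build_ldif():
    # Generate the GUIDs once, record them in the design document, and reuse
    # the same values in every forest so the ACLs line up everywhere.
    attr_guid = str(uuid.uuid4())
    class_guid = str(uuid.uuid4())
    set_guid = str(uuid.uuid4())
    return "\n".join([
        attribute_ldif("myApp-Secret", "myAppSecret", "1.2.3.4.5.1", attr_guid, set_guid),
        SCHEMA_UPDATE_NOW,
        aux_class_ldif("myApp-Aux", "myAppAux", "1.2.3.4.5.2", class_guid, ["myAppSecret"]),
        SCHEMA_UPDATE_NOW,
        property_set_ldif("myApp-Secrets", "myApp Secrets", set_guid, [class_guid]),
    ])


if __name__ == "__main__":
    print(build_ldif())
```

Feed the output to ldifde -i -f file.ldf -k against the schema master. After import, guid_to_filter() gives you the filter to confirm the DC stored what you intended, e.g. (schemaIDGUID=\33\22\11\00...) against the schema container; if that search returns nothing, the byte order is the first thing to check.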


